IBM Support

IJ12107: EXCEPTION THROWN AFTER MAXMIND DATABASE IS UPDATED CAN CAUSE MULTIPLE QRADAR PROCESSING ISSUES

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as duplicate of another APAR.

Error description

  • It has been identified that when the Maxmind database (used for
    geolocation updates) is updated, QRadar processing issues with
    the Custom Rule Engine (CRE), including failure of Offense
    generation, can occur due to an uncaught thread exception.
    Messages similar to the following might be visible in
    /var/log/qradar.error on affected appliances when this issue is
    occurring:
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: Preprocessor(events)_9
    java.lang.InternalError: SIGBUS
        at com.maxmind.db.Reader.readNode(Reader.java:219)
        at com.maxmind.db.Reader.findAddressInTree(Reader.java:174)
        at com.maxmind.db.Reader.get(Reader.java:146)
        at
    com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151)
        at
    com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202)
        at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:531)
        at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:384)
        at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:336)
        at
    com.q1labs.core.types.event.NormalizedEventProperties$SourceGeog
    raphicLocation.createKey(NormalizedEventProperties.java:73)
        at
    com.q1labs.core.types.event.NormalizedEventProperties$SourceGeog
    raphicLocation.createKey(NormalizedEventProperties.java:65)
        at
    com.q1labs.cve.accumulation.ObjectArrayAccessors$ObjectArrayAcce
    ssor.getKey(ObjectArrayAccessors.java:355)
        at
    com.q1labs.cve.accumulation.ObjectArrayAccessors.getKey(ObjectAr
    rayAccessors.java:265)
        at
    com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(Obj
    ectArrayAccessors.java:233)
        at
    com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Prep
    rocessor.java:26)
        at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
        at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
        at java.lang.Thread.run(Thread.java:811)
    

Local fix

  • When verified that a QRadar appliance(s) is experiencing the
    CRE issue as defined above, a restart of the ecs-ep service via
    command line (SSH) on the affected appliance(s) can be used to
    correct the issue:
    # systemctl restart ecs-ep
    To prevent this from reoccuring until a QRadar Fix Pack is
    released to address the issue, you can disable updates of the
    maxmind/geographic data file using these steps:
    - Admin tab -> System Settings / Geographic Settings
    - Set "Disable Automatic content Updates" to "True" (default is
    False)
    Contact Support if additional assistance for diagnosing or
    correcting this issue is required.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is a duplicate of IJ04898.
    

APAR Information

  • APAR number

    IJ12107

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED DUB

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-12-11

  • Closed date

    2019-08-09

  • Last modified date

    2019-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
09 August 2019